• Resolved tommcgee (@tommcgee)

    Love the plugin except for one very big issue.

    The “Browse for file” button takes you all the way up to the document root. This exposes information that could be dangerous, like database passwords.

    I’m running it on a multisite installation, and it allows any user on any site to activate the plugin and browse for any file in the document root. It also allows users to select any files from any other user’s blogs.dir directory and make those downloadable, too. This is all obviously unacceptable.

    Even on a single-site installation it sounds sketchy. An inexperienced user could open up a wp-config.php file to the public, for example.

    Every time I update this plugin I have to go in and manually disable that feature. It would be great if on multisite installations the super-admin had an option to globally turn off the file browser.

Viewing 1 replies (of 1 total)
  • Hey,

    This sounds like an interesting feature indeed. The user is able to add files all the way from the web dir root because many users choose to upload their files there via FTP. I’ve added your idea as a feature to our repository: https://github.com/download-monitor/download-monitor/issues/469
    You can follow progress on the feature there.

    As a related side note, you can move your wp-config.php file a level above your HTTP/web root directory. WordPress will scan there automatically if none is found in the root directory.

    Kind Regards,

    Barry Kooij

  • The topic ‘Need a security feature, please’ is closed to new replies.